WAF++

Controls (WAF-COST)

The Cost Optimization pillar is operationalized through 10 measurable controls. Each control has a unique ID in the format WAF-COST-NNN, a severity rating, machine-readable YAML checks and a maturity level graduation.

The YAML source files are located under modules/controls/controls/WAF-COST-*.yml and can be executed directly by the WAF++ Checker tool.

Controls Overview

Control ID    Title                                                    Severity  Category
WAF-COST-010  Cost Allocation Tagging Enforced                         High      Cost Allocation
WAF-COST-020  Cost Budgets & Alerting Configured                       High      Budget Control
WAF-COST-030  Resource Rightsizing & Idle Detection                    Medium    Resource Optimization
WAF-COST-040  Storage & Retention Lifecycle Defined                    High      Retention Management
WAF-COST-050  Cost Impact Assessment in Architecture Decision Records  High      Architectural Cost Debt
WAF-COST-060  FinOps Review Cadence                                    Medium    FinOps Governance
WAF-COST-070  Observability & Logging Cost Tiers                       Medium    Observability Cost
WAF-COST-080  Commitment & Reserved Capacity Planning                  Medium    Cost Optimization
WAF-COST-090  Data Transfer & Egress Cost Management                   High      Data Transfer
WAF-COST-100  Architectural Cost Debt Register & Quarterly Review      Medium    Architectural Cost Debt


WAF-COST-010 – Cost Allocation Tagging Enforced

Severity: High | Category: Cost Allocation | Automatable: High

Intent: Without tagging, no cost attribution is possible. Without cost attribution, no optimization is possible.

Requirement: All cloud resources MUST carry the mandatory tags: cost-center, owner, environment, workload. Missing tags MUST be treated as violations in the CI gate. No deployment without full tagging compliance.

Terraform Checks (excerpt):

  • waf-cost-010.tf.any.resource-mandatory-tags – All resources must have cost-center, owner, environment, workload tags

  • waf-cost-010.tf.aws.compute-tags-complete – EC2 instances must carry all mandatory tags

  • waf-cost-010.tf.azurerm.resource-group-tags – Azure resource groups with mandatory tags

  • waf-cost-010.tf.google.resource-labels-mandatory – GCP resources with mandatory labels

Evidence:

  • Tagging taxonomy document (versioned)

  • CI gate configuration with mandatory tag check

  • Tagging compliance report (monthly, target >= 95%)

Best Practice: Cost Allocation Tagging


WAF-COST-020 – Cost Budgets & Alerting Configured

Severity: High | Category: Budget Control | Automatable: High

Intent: Budget overruns discovered only in the monthly bill are too late.

Requirement: For every cloud account/subscription, a budget limit MUST be defined as an IaC resource. Alerts MUST be triggered automatically at 80% and 100% of the budget limit. Budget resources MUST be versioned and reviewable (not set in the console UI).

Terraform Checks (excerpt):

  • waf-cost-020.tf.aws.budgets-budget-exists – aws_budgets_budget resource must exist

  • waf-cost-020.tf.aws.budget-alert-80-percent – Alert at 80% budget consumption configured

  • waf-cost-020.tf.azurerm.consumption-budget-defined – azurerm_consumption_budget_resource_group exists

  • waf-cost-020.tf.google.billing-budget-configured – google_billing_budget resource present
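The budget checks above can be run against a plan before anything is applied. The following is an added example of such a check, written for this page; it is not the WAF++ Checker's code or its YAML format. It reads the JSON produced by `terraform show -json tfplan`, requires a budget resource for every cloud provider that appears in the plan, and normalises the three providers' alert blocks to percent thresholds. It counts an alert only if it has a delivery target: an 80% or 100% threshold with an empty subscriber list satisfies a naive "threshold present" check and never notifies anyone. The sample plan is constructed for the example.

```python
"""Budget-alert check over a Terraform plan (added example, not WAF++ Checker code).

WAF-COST-020 at plan time: every cloud provider present in the plan has a budget
resource, and every budget alerts at 80% and 100% through a notification target
that is actually set. SAMPLE_PLAN is constructed in `terraform show -json` layout.
"""

BUDGET_TYPES = {
    "aws_budgets_budget": "aws",
    "azurerm_consumption_budget_subscription": "azurerm",
    "azurerm_consumption_budget_resource_group": "azurerm",
    "google_billing_budget": "google",
}
CLOUD_PROVIDERS = set(BUDGET_TYPES.values())
REQUIRED_PERCENT = {80.0, 100.0}


def iter_resources(module):
    """Yield planned resources from the root module and every nested module."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def alert_percentages(budget):
    """Normalise the providers' alert blocks to a set of percent thresholds,
    keeping only alerts that have somewhere to deliver to."""
    v = budget.get("values") or {}
    kind = budget["type"]
    pct = set()
    if kind == "aws_budgets_budget":
        for n in v.get("notification") or []:
            target = n.get("subscriber_email_addresses") or n.get("subscriber_sns_topic_arns")
            if n.get("threshold_type") == "PERCENTAGE" and target:
                pct.add(float(n["threshold"]))
    elif kind.startswith("azurerm_consumption_budget"):
        for n in v.get("notification") or []:
            target = n.get("contact_emails") or n.get("contact_groups") or n.get("contact_roles")
            if n.get("enabled", True) and target:
                pct.add(float(n["threshold"]))  # Azure thresholds are already percent
    elif kind == "google_billing_budget":
        rules = v.get("all_updates_rule") or []
        if any(r.get("pubsub_topic") or r.get("monitoring_notification_channels") for r in rules):
            for r in v.get("threshold_rules") or []:
                pct.add(round(float(r["threshold_percent"]) * 100, 3))  # 0.8 -> 80.0
    return pct


def check_budgets(plan):
    """Return a list of violations; an empty list means the plan is compliant."""
    providers, budgets = set(), []
    for res in iter_resources(plan["planned_values"]["root_module"]):
        if res.get("mode") != "managed":
            continue
        providers.add(res["type"].split("_", 1)[0])  # aws_instance -> aws
        if res["type"] in BUDGET_TYPES:
            budgets.append(res)
    violations = []
    for p in sorted(providers & CLOUD_PROVIDERS):
        if not any(BUDGET_TYPES[b["type"]] == p for b in budgets):
            violations.append(f"{p}: no budget resource in the plan")
    for b in budgets:
        missing = sorted(REQUIRED_PERCENT - alert_percentages(b))
        if missing:
            violations.append(f"{b['address']}: no delivered alert at {[int(m) for m in missing]}%")
    return violations


# Constructed plan excerpt (not real Terraform output).
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "aws_budgets_budget.monthly", "mode": "managed", "type": "aws_budgets_budget",
     "values": {"limit_amount": "5000", "limit_unit": "USD", "time_unit": "MONTHLY",
                "notification": [
                    {"comparison_operator": "GREATER_THAN", "threshold": 80,
                     "threshold_type": "PERCENTAGE", "notification_type": "ACTUAL",
                     "subscriber_email_addresses": ["finops@example.com"]},
                    # 100% alert defined but nobody subscribed: a silent alarm
                    {"comparison_operator": "GREATER_THAN", "threshold": 100,
                     "threshold_type": "PERCENTAGE", "notification_type": "ACTUAL",
                     "subscriber_email_addresses": [], "subscriber_sns_topic_arns": []}]}},
    {"address": "google_billing_budget.project", "mode": "managed", "type": "google_billing_budget",
     "values": {"threshold_rules": [{"threshold_percent": 0.5}, {"threshold_percent": 0.8},
                                    {"threshold_percent": 1.0}],
                "all_updates_rule": [{"pubsub_topic": "projects/p/topics/budget-alerts"}]}},
    {"address": "azurerm_linux_virtual_machine.app", "mode": "managed",
     "type": "azurerm_linux_virtual_machine", "values": {}},  # Azure in use, no budget
]}}}

if __name__ == "__main__":
    for line in check_budgets(SAMPLE_PLAN):
        print(line)
```

Running the example reports the Azure subscription without a budget and the AWS 100% alert that has no subscriber; the GCP budget passes because both 80% and 100% thresholds exist and the Pub/Sub topic is set. The "one budget per account" requirement cannot be fully verified from a single plan, since a plan only sees the providers it configures; the per-provider check here is the plan-level approximation.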

Evidence:

  • Terraform budget resources in the repository

  • Alert configurations with notification channels


WAF-COST-030 – Resource Rightsizing & Idle Detection

Severity: Medium | Category: Resource Optimization | Automatable: Medium

Intent: Over-provisioning is the most common form of cloud waste.

Requirement: All persistent compute resources MUST carry the tag rightsizing-reviewed whose value is a review date less than 90 days old. Idle detection MUST be configured. Instances without a current rightsizing review are non-compliant.

Terraform Checks (excerpt):

  • waf-cost-030.tf.aws.ec2-rightsizing-tag-required – EC2 instances must have rightsizing-reviewed tag

  • waf-cost-030.tf.azurerm.vm-rightsizing-tag – Azure VMs with rightsizing-reviewed tag

  • waf-cost-030.tf.aws.no-persistent-t2-micro-without-justification – Excessively small instances without justification

  • waf-cost-030.tf.google.compute-rightsizing-tag – GCP compute instances with rightsizing tag
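The mandatory-tag gate of WAF-COST-010 and the rightsizing-reviewed age rule of WAF-COST-030 share one mechanism: read the planned tags of every resource and fail the pipeline on a miss. The block below is an added example of that gate written for this page; it is not the WAF++ Checker's code or its YAML format. It consumes the JSON from `terraform show -json tfplan`, so nothing is applied before the check runs. Two details matter in practice and are handled here: on AWS the provider's `default_tags` are merged into `tags_all`, so a resource whose own `tags` block lacks cost-center can still be compliant, and resource types with no tag argument at all must be exempted or the gate produces only noise. The UNTAGGABLE_TYPES list, the set of types counted as persistent compute, and the sample plan are assumptions constructed for the example; the same `check_dated_tag` function applied to last-finops-review with a 45-day limit gives the WAF-COST-060 tag check.

```python
"""Tag-policy gate over a Terraform plan (added example, not WAF++ Checker code).

Reads the JSON from `terraform show -json tfplan`, applies the WAF-COST-010
mandatory-tag rule and the WAF-COST-030 rightsizing-reviewed freshness rule,
and exits non-zero so the CI job fails. SAMPLE_PLAN is constructed, not real output.
"""
import json
import sys
from datetime import date, datetime

MANDATORY_TAGS = ("cost-center", "owner", "environment", "workload")

# Persistent compute types that must carry rightsizing-reviewed (assumed set).
COMPUTE_TYPES = {"aws_instance", "azurerm_linux_virtual_machine",
                 "azurerm_windows_virtual_machine", "google_compute_instance"}

# Types with no tag/label argument at all; flagging them is noise. Assumption:
# extended per provider as the inventory grows.
UNTAGGABLE_TYPES = {"aws_route_table_association", "aws_iam_role_policy_attachment"}


def iter_resources(module):
    """Yield planned resources from the root module and every nested module."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def effective_tags(resource):
    """Tags as they will be applied: AWS `tags_all` (resource tags merged with
    provider default_tags) when present, else `tags`, else GCP `labels`."""
    values = resource.get("values") or {}
    for key in ("tags_all", "tags", "labels"):
        if isinstance(values.get(key), dict):
            return values[key]
    return {}


def check_mandatory_tags(plan):
    """WAF-COST-010: every taggable managed resource carries all mandatory tags."""
    violations = []
    for res in iter_resources(plan["planned_values"]["root_module"]):
        if res.get("mode") != "managed" or res["type"] in UNTAGGABLE_TYPES:
            continue
        tags = effective_tags(res)
        missing = [t for t in MANDATORY_TAGS if not str(tags.get(t) or "").strip()]
        if missing:
            violations.append(f"{res['address']}: missing tags {missing}")
    return violations


def check_dated_tag(plan, tag, max_age_days, types, today):
    """Resources of `types` carry `tag` with an ISO date younger than max_age_days.
    WAF-COST-030 is (rightsizing-reviewed, 90, COMPUTE_TYPES)."""
    violations = []
    for res in iter_resources(plan["planned_values"]["root_module"]):
        if res.get("mode") != "managed" or res["type"] not in types:
            continue
        raw = effective_tags(res).get(tag)
        if raw is None:
            violations.append(f"{res['address']}: tag {tag} missing")
            continue
        try:
            reviewed = datetime.strptime(str(raw), "%Y-%m-%d").date()
        except ValueError:
            violations.append(f"{res['address']}: tag {tag}={raw!r} is not YYYY-MM-DD")
            continue
        age = (today - reviewed).days
        if age < 0 or age >= max_age_days:  # a future date is not a review either
            violations.append(f"{res['address']}: {tag} is {age} days old (limit {max_age_days})")
    return violations


# Constructed plan excerpt in `terraform show -json` layout (not real output).
SAMPLE_PLAN = {"format_version": "1.2", "planned_values": {"root_module": {
    "resources": [
        {"address": "aws_instance.api", "mode": "managed", "type": "aws_instance",
         "values": {"tags": {"owner": "team-payments"},
                    "tags_all": {"cost-center": "CC-4711", "owner": "team-payments",
                                 "environment": "prod", "workload": "payments",
                                 "rightsizing-reviewed": "2024-05-01"}}},
        {"address": "aws_instance.batch", "mode": "managed", "type": "aws_instance",
         "values": {"tags": {"cost-center": "CC-4711", "owner": "team-data"}}},
        {"address": "aws_route_table_association.a", "mode": "managed",
         "type": "aws_route_table_association", "values": {}},
    ],
    "child_modules": [{"address": "module.lake", "resources": [
        {"address": "module.lake.google_storage_bucket.raw", "mode": "managed",
         "type": "google_storage_bucket",
         "values": {"labels": {"cost-center": "cc-4711", "owner": "team-data",
                               "environment": "prod", "workload": "lake"}}}]}],
}}}
SAMPLE_TODAY = date(2024, 6, 1)  # fixed "today" so the example is reproducible


def gate(plan, today=None):
    """CI gate: (exit_code, violations); a non-zero code blocks the deployment."""
    today = today or date.today()
    violations = check_mandatory_tags(plan) + check_dated_tag(
        plan, "rightsizing-reviewed", 90, COMPUTE_TYPES, today)
    return (1 if violations else 0), violations


if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    code, problems = gate(plan, SAMPLE_TODAY if plan is SAMPLE_PLAN else None)
    print("\n".join(problems) or "tagging compliant")
    sys.exit(code)
```

In a pipeline the sequence is `terraform plan -out tfplan`, `terraform show -json tfplan > tfplan.json`, then this script on tfplan.json; a non-zero exit stops the apply step. Attributes that are only known after apply are absent from `planned_values`, so a tag computed from another resource's output shows up as missing; such cases need a resource_changes-based check or a post-apply audit rather than a plan-time gate.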

Evidence:

  • Rightsizing review records (monthly)

  • Compute Optimizer / Azure Advisor / GCP Recommender export

  • Tag compliance report for rightsizing-reviewed


WAF-COST-040 – Storage & Retention Lifecycle Defined

Severity: High | Category: Retention Management | Automatable: High

Intent: Infinite retention is not a strategy. It is Architectural Cost Debt.

Requirement: All storage resources MUST have explicit lifecycle policies. All log groups MUST have a retention_in_days setting != 0 and != null. No S3 bucket, no Azure storage, no GCS bucket without defined lifecycle rules.

Terraform Checks (excerpt):

  • waf-cost-040.tf.aws.s3-lifecycle-rule-defined – S3 buckets must have lifecycle_rule (inline in aws_s3_bucket with AWS provider versions before 4.0; from 4.0 on, the rules live in a separate aws_s3_bucket_lifecycle_configuration resource referencing the bucket, and a check that only inspects the inline block flags compliant buckets)

  • waf-cost-040.tf.aws.cloudwatch-log-retention-set – CloudWatch log groups must have retention_in_days != 0

  • waf-cost-040.tf.azurerm.storage-lifecycle-policy – Azure storage with lifecycle policy

  • waf-cost-040.tf.google.gcs-bucket-lifecycle – GCS buckets with lifecycle rule

Evidence:

  • Terraform lifecycle configurations of all storage and log resources

  • Retention strategy document (tiering: Hot/Warm/Cold/Archive)


WAF-COST-050 – Cost Impact Assessment in Architecture Decision Records

Severity: High | Category: Architectural Cost Debt | Automatable: Partial

Intent: Architectural cost debt arises in architecture decisions – that is where it must also be prevented.

Requirement: Every ADR with infrastructure impact MUST contain a structured cost impact section: TCO estimate, lock-in risk score (1–5), data transfer cost estimate, operational effort (FTE), exit cost estimate, 3-year NPV. ADRs with lock-in score >= 4 require architecture board approval.

Terraform Checks (excerpt):

  • waf-cost-050.tf.any.adr-cost-section-present – ADR file format validation (cost section present)

  • waf-cost-050.tf.any.high-lockin-services-tagged – Resources with lock-in score tag (lock-in-risk >= 4)

Evidence:

  • ADR documents with completed cost impact section

  • Architecture board approvals for lock-in score 4/5 decisions


WAF-COST-060 – FinOps Review Cadence

Severity: Medium | Category: FinOps Governance | Automatable: Low–Medium

Intent: FinOps without structured review cycles is not a discipline – it is hope.

Requirement: Monthly engineering reviews MUST take place (action items, owner, due date documented). Quarterly architecture board reviews MUST take place (cost debt register sign-off). Review records MUST be available in writing and accessible.

Terraform Checks (excerpt):

  • waf-cost-060.tf.any.finops-review-tag-current – Workload tags contain last-finops-review with date (< 45 days)

  • waf-cost-060.tf.any.cost-debt-register-exists – Cost debt register file present in repository

Evidence:

  • Monthly review records with action item list (last 3 months)

  • Quarterly architecture board review record with cost debt sign-off


WAF-COST-070 – Observability & Logging Cost Tiers

Severity: Medium | Category: Observability Cost | Automatable: High

Intent: Observability costs are among the fastest-growing and hardest-to-control cloud cost drivers.

Requirement: Log groups MUST be categorized by retention tier (Hot: 7–30d, Warm: 31–90d, Cold: 91–365d, Archive: >365d). DEBUG level logging in production is prohibited without explicit justification. CloudWatch log groups MUST NOT have retention_in_days = 0. Trace sampling MUST be configured for high-volume services.

Terraform Checks (excerpt):

  • waf-cost-070.tf.aws.cloudwatch-retention-not-infinite – Log group retention_in_days != 0 (not unlimited)

  • waf-cost-070.tf.aws.cloudwatch-retention-max-365 – Operational log groups: retention_in_days <= 365

  • waf-cost-070.tf.azurerm.log-analytics-retention-defined – Azure Log Analytics with explicit retention

  • waf-cost-070.tf.google.cloud-logging-bucket-retention – GCP logging bucket with defined retention
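The retention rules of WAF-COST-040 and the tiering rules of WAF-COST-070 reduce to one pass over the log-store resources in a plan. The block below is an added example of that pass, written for this page rather than taken from the WAF++ Checker. It flags unset or zero retention (infinite), maps each retention to a tier, compares it with a declared tier tag, and enforces the 365-day ceiling for operational groups. Two things in it are assumptions: the tag name `retention-tier`, with the value `archive` marking a group that is allowed to exceed 365 days, and the reading of the tier boundaries as inclusive upper bounds. One caveat it encodes is specific to CloudWatch: `retention_in_days` only accepts a fixed list of values, so a setting such as 45 passes a plain "!= 0" check and then fails at apply time. The sample plan is constructed.

```python
"""Log-retention tiering check over a Terraform plan (added example, not the
WAF++ Checker's code). Covers the retention half of WAF-COST-040 and the tier and
365-day rules of WAF-COST-070. SAMPLE_PLAN is constructed in `terraform show -json` layout.
"""
from collections import Counter

# Retention attribute per log-store resource type.
LOG_TYPES = {
    "aws_cloudwatch_log_group": "retention_in_days",
    "azurerm_log_analytics_workspace": "retention_in_days",
    "google_logging_project_bucket_config": "retention_days",
}
# CloudWatch accepts only these values; 0 (or unset) means never expire.
CLOUDWATCH_VALID = {1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731,
                    1096, 1827, 2192, 2557, 2922, 3288, 3653}
# Tag carrying the declared tier (assumed name); "archive" marks a non-operational
# store that may legitimately retain longer than 365 days.
TIER_TAG = "retention-tier"


def tier_for(days):
    """Map a retention to the WAF-COST-070 tiers; upper bounds are inclusive."""
    if not days:
        return "unlimited"
    if days < 7:
        return "ephemeral"  # below the hot floor; not a defined tier
    if days <= 30:
        return "hot"
    if days <= 90:
        return "warm"
    if days <= 365:
        return "cold"
    return "archive"


def iter_resources(module):
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def log_stores(plan):
    """Yield (resource, retention_days, declared_tier) for each managed log store."""
    for res in iter_resources(plan["planned_values"]["root_module"]):
        attr = LOG_TYPES.get(res["type"])
        if res.get("mode") != "managed" or attr is None:
            continue
        values = res.get("values") or {}
        tags = values.get("tags_all") or values.get("tags") or {}
        yield res, values.get(attr), tags.get(TIER_TAG)


def check_log_retention(plan):
    violations = []
    for res, days, declared in log_stores(plan):
        addr, attr = res["address"], LOG_TYPES[res["type"]]
        tier = tier_for(days)
        if tier == "unlimited":
            violations.append(f"{addr}: {attr} unset or 0 (infinite retention)")
            continue
        if res["type"] == "aws_cloudwatch_log_group" and days not in CLOUDWATCH_VALID:
            violations.append(f"{addr}: {days} is not a retention CloudWatch accepts")
        if declared and declared != tier:
            violations.append(f"{addr}: tagged {declared} but {days}d is {tier}")
        if days > 365 and declared != "archive":
            violations.append(f"{addr}: operational group retains {days}d (> 365)")
    return violations


def tier_report(plan):
    """Tier distribution of the plan, the raw input for the tiering strategy evidence."""
    return Counter(tier_for(days) for _, days, _ in log_stores(plan))


# Constructed plan excerpt (not real Terraform output).
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "aws_cloudwatch_log_group.api", "mode": "managed", "type": "aws_cloudwatch_log_group",
     "values": {"retention_in_days": 30, "tags_all": {"retention-tier": "hot"}}},
    {"address": "aws_cloudwatch_log_group.debug", "mode": "managed", "type": "aws_cloudwatch_log_group",
     "values": {"retention_in_days": 0}},
    {"address": "aws_cloudwatch_log_group.audit", "mode": "managed", "type": "aws_cloudwatch_log_group",
     "values": {"retention_in_days": 2557, "tags_all": {"retention-tier": "archive"}}},
    {"address": "aws_cloudwatch_log_group.etl", "mode": "managed", "type": "aws_cloudwatch_log_group",
     "values": {"retention_in_days": 45}},
    {"address": "aws_cloudwatch_log_group.legacy", "mode": "managed", "type": "aws_cloudwatch_log_group",
     "values": {"retention_in_days": 731}},
    {"address": "azurerm_log_analytics_workspace.ops", "mode": "managed",
     "type": "azurerm_log_analytics_workspace", "values": {"retention_in_days": 90}},
    {"address": "google_logging_project_bucket_config.default", "mode": "managed",
     "type": "google_logging_project_bucket_config", "values": {"retention_days": 180}},
]}}}

if __name__ == "__main__":
    print("\n".join(check_log_retention(SAMPLE_PLAN)))
    print(dict(tier_report(SAMPLE_PLAN)))
```

On the sample plan the check reports the group with retention 0, the 45-day value CloudWatch rejects, and the untagged 731-day group; the audit group keeps its 7-year retention because it is explicitly declared archive. Note that on Azure and GCP an omitted retention is computed by the provider (30 days by default) and is therefore absent from `planned_values`; the check treats that as unset, which matches the requirement that retention be explicit.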

Evidence:

  • Terraform log group configurations with retention settings

  • Log tiering strategy document

  • Observability cost share of total budget (target: < 20%)

Best Practice: Retention Strategy


WAF-COST-080 – Commitment & Reserved Capacity Planning

Severity: Medium | Category: Cost Optimization | Automatable: Medium

Intent: Running baseline workloads permanently on-demand means 30–60% higher costs without added value.

Requirement: Compute resources with >= 70% utilization over 30 days MUST be covered by reservations. All on-demand baseline instances MUST carry a capacity-commitment tag recording the date of the last commitment review. Spot/preemptible instances are preferred for variable workloads.

Terraform Checks (excerpt):

  • waf-cost-080.tf.aws.ec2-commitment-tag – EC2 instances must carry capacity-commitment tag

  • waf-cost-080.tf.aws.reserved-instance-coverage-tag – Baseline instances with RI coverage tag

  • waf-cost-080.tf.azurerm.vm-commitment-tag – Azure VMs with commitment review tag

Evidence:

  • Reservation portfolio export (quarterly)

  • RI utilization report (target: >= 80%)

  • Savings plan analysis


WAF-COST-090 – Data Transfer & Egress Cost Management

Severity: High | Category: Data Transfer | Automatable: Medium

Intent: Data transfer and egress costs are the most frequently underestimated cloud cost drivers.

Requirement: VPC endpoints MUST be deployed for S3, KMS and internal services so that this traffic does not leave through NAT gateways or the internet. Note that S3 gateway endpoints are free, whereas interface endpoints carry an hourly and per-GB charge, so an interface endpoint only pays off where it replaces NAT gateway or internet egress traffic. Public IPs on internal compute resources are prohibited (AWS has billed every in-use public IPv4 address hourly since February 2024, on top of the egress it invites). A CDN MUST be configured for publicly accessible media/assets. An egress budget alert MUST exist.

Terraform Checks (excerpt):

  • waf-cost-090.tf.aws.vpc-endpoint-s3-exists – VPC endpoint for S3 in every used VPC

  • waf-cost-090.tf.aws.no-public-ip-internal-compute – Internal EC2 instances without public IP

  • waf-cost-090.tf.aws.cloudfront-for-s3-public-assets – CloudFront in front of public S3 buckets

  • waf-cost-090.tf.azurerm.storage-private-endpoint – Azure storage with private endpoint
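The S3 endpoint and public-IP checks of WAF-COST-090, and the lifecycle check of WAF-COST-040, all need to link two resources in a plan: the endpoint to its VPC, the lifecycle configuration to its bucket. The block below is an added example of how to do that, written for this page and not part of the WAF++ Checker. The point it demonstrates is that `planned_values` is not enough: a VPC or bucket created in the same plan has no id until apply, so the endpoint's `vpc_id` and the lifecycle configuration's `bucket` are simply absent from the planned values, and a check that compares them to the VPC or bucket id reports every new resource as uncovered. The link has to be recovered from the expression references Terraform records under `configuration`. The `exposure` tag used to distinguish internal from public instances is an assumption, the reference walk covers the root module only, and the sample plan is constructed.

```python
"""Cross-resource plan checks (added example, not WAF++ Checker code): S3
lifecycle coverage for WAF-COST-040, S3 VPC endpoints and public IPs for
WAF-COST-090. Links between resources are taken from plan["configuration"]
expression references because ids are unknown at plan time.
SAMPLE_PLAN is constructed in `terraform show -json` layout.
"""
NON_RESOURCE_REFS = ("var", "local", "module", "data", "each", "count", "path")


def iter_planned(module):
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_planned(child)


def references(plan, source_type, attribute):
    """{source address: {referenced resource addresses}} for `attribute` of each
    root-module `source_type` resource (child modules sit under module_calls and
    would need their "module.<name>." prefix). Terraform lists a reference as
    both "aws_vpc.main.id" and "aws_vpc.main", so refs are cut to type.name."""
    links = {}
    for r in plan["configuration"]["root_module"].get("resources", []):
        if r["type"] != source_type:
            continue
        refs = ((r.get("expressions") or {}).get(attribute) or {}).get("references", [])
        links[r["address"]] = {".".join(ref.split(".")[:2]) for ref in refs
                               if "." in ref and ref.split(".")[0] not in NON_RESOURCE_REFS}
    return links


def check_s3_lifecycle(plan):
    """WAF-COST-040: inline lifecycle_rule (AWS provider < 4) or an
    aws_s3_bucket_lifecycle_configuration attached to the bucket (provider >= 4)."""
    root = plan["planned_values"]["root_module"]
    covered = set().union(*references(plan, "aws_s3_bucket_lifecycle_configuration", "bucket").values())
    literal = {(r.get("values") or {}).get("bucket") for r in iter_planned(root)
               if r["type"] == "aws_s3_bucket_lifecycle_configuration"} - {None}
    out = []
    for b in iter_planned(root):
        v = b.get("values") or {}
        if b["type"] == "aws_s3_bucket" and not (
                v.get("lifecycle_rule") or b["address"] in covered or v.get("bucket") in literal):
            out.append(f"{b['address']}: no lifecycle rules")
    return out


def check_vpc_s3_endpoint(plan):
    """WAF-COST-090: every VPC has an endpoint for com.amazonaws.<region>.s3."""
    root = plan["planned_values"]["root_module"]
    endpoints = {r["address"]: r for r in iter_planned(root) if r["type"] == "aws_vpc_endpoint"}
    covered = set()
    for addr, targets in references(plan, "aws_vpc_endpoint", "vpc_id").items():
        if ((endpoints.get(addr) or {}).get("values") or {}).get("service_name", "").endswith(".s3"):
            covered |= targets
    return [f"{v['address']}: no S3 VPC endpoint" for v in iter_planned(root)
            if v["type"] == "aws_vpc" and v["address"] not in covered]


def check_no_public_ip(plan):
    """WAF-COST-090: instances not tagged exposure=public (tag name assumed) must not
    request a public IP. An unset associate_public_ip_address inherits the subnet's
    map_public_ip_on_launch, which this plan-level check does not resolve."""
    out = []
    for r in iter_planned(plan["planned_values"]["root_module"]):
        v = r.get("values") or {}
        tags = v.get("tags_all") or v.get("tags") or {}
        if r["type"] == "aws_instance" and v.get("associate_public_ip_address") \
                and tags.get("exposure") != "public":
            out.append(f"{r['address']}: internal instance with a public IP")
    return out


def managed(address, rtype, **values):
    return {"address": address, "mode": "managed", "type": rtype, "values": values}


SAMPLE_PLAN = {
    "planned_values": {"root_module": {"resources": [
        managed("aws_vpc.main", "aws_vpc", cidr_block="10.0.0.0/16"),
        managed("aws_vpc.legacy", "aws_vpc", cidr_block="10.1.0.0/16"),
        # vpc_id and bucket are unknown until apply, hence absent from values
        managed("aws_vpc_endpoint.s3", "aws_vpc_endpoint",
                service_name="com.amazonaws.eu-central-1.s3", vpc_endpoint_type="Gateway"),
        managed("aws_s3_bucket.logs", "aws_s3_bucket", bucket="acme-logs"),
        managed("aws_s3_bucket.scratch", "aws_s3_bucket", bucket="acme-scratch"),
        managed("aws_s3_bucket_lifecycle_configuration.logs", "aws_s3_bucket_lifecycle_configuration",
                rule=[{"id": "expire", "status": "Enabled", "expiration": [{"days": 90}]}]),
        managed("aws_instance.worker", "aws_instance", associate_public_ip_address=True,
                tags={"exposure": "internal"}),
        managed("aws_instance.bastion", "aws_instance", associate_public_ip_address=True,
                tags={"exposure": "public"}),
    ]}},
    "configuration": {"root_module": {"resources": [
        {"address": "aws_vpc_endpoint.s3", "type": "aws_vpc_endpoint",
         "expressions": {"vpc_id": {"references": ["aws_vpc.main.id", "aws_vpc.main"]},
                         "service_name": {"constant_value": "com.amazonaws.eu-central-1.s3"}}},
        {"address": "aws_s3_bucket_lifecycle_configuration.logs",
         "type": "aws_s3_bucket_lifecycle_configuration",
         "expressions": {"bucket": {"references": ["aws_s3_bucket.logs.id", "aws_s3_bucket.logs"]}}},
    ]}},
}
```

On the sample plan the three checks report the bucket without a lifecycle configuration, the VPC without an S3 endpoint, and the worker instance that requests a public IP; the logs bucket and the main VPC pass only because the configuration references are consulted. VPCs that already exist and are looked up through a data source are invisible to the endpoint check, as are resources using count or for_each, whose planned addresses carry an index the configuration address lacks.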

Evidence:

  • VPC endpoint resources in Terraform code

  • Egress cost trend (monthly)

  • CDN configuration for public assets


WAF-COST-100 – Architectural Cost Debt Register & Quarterly Review

Severity: Medium | Category: Architectural Cost Debt | Automatable: Partial

Intent: Undocumented cost debt is uncontrolled cost debt.

Requirement: A cost debt register MUST exist in the repository with: description, owner, estimated annual impact (€), creation date, target resolution date, status (monitoring/paydown/accepted), paydown plan or acceptance rationale. A quarterly architecture board review entry MUST be present.

Terraform Checks (excerpt):

  • waf-cost-100.tf.any.cost-debt-register-file-exists – cost-debt-register.yml present in repository

  • waf-cost-100.tf.any.quarterly-review-entry-current – Current quarterly review entry present

Evidence:

  • Versioned cost debt register (YAML or Markdown) in the repository

  • Quarterly architecture board review record (last 2 quarters)